Jump to content

powershell virus - 1 of 3 exes undetected (virustotal) but seems malicious


Go to solution Solved by JSntgRvr,

Recommended Posts

Hello,

 

I downloaded something sketchy recently, and was fascinated when it ran a script, but didn't install the program I wanted. Then curiosity got to me, and I saved the temporary files it made, before closing the powershell console.

 

After editing the script, I felt safe enough to rerun it. It downloads 3 exes, including the opera browser. One or two of these were detected as a virus. The first one however, which included the Opera browser, was not detected by virustotal, except by it's behavioural analysis. And in this analysis, it found a reference to laZagne, a password stealing program

This is the report for the 3 files: https://www.virustotal.com/gui/file/7d3d67d0eb714db873bf26a73f55aa6481a4be84eb24828a48a53ee71126b08c/behavior

https://www.virustotal.com/gui/file-analysis/YmY5MDU3Y2QzYjNkNTg5ZmZmNzczMWRiZDQxMGVlZTI6MTcyNjYxNzQ1MA==

https://www.virustotal.com/gui/file/da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e

I've ran a few antivirus programs, but don't feel confident yet that it's been removed, since the undetected file seemed to include a password miner

Addition_18-09-2024 08.57.15.txt FRST_18-09-2024 08.57.15.txt Shortcut_18-09-2024 08.57.15.txt malwarebytes-log.zip

Link to post
Share on other sites

Of the three Virus Total URLs, two were old reports and not updated.  One was recently updated.  I have updated all three.

Of the three one has zero detections.  The other two are detected by Malwarebytes ...

  1. Static Detection - Trojan.Dropper
  2. Heuristic Detection - Malware.AI.2010616765

I have submitted two of those files on your behalf

RE:  From a Malware Removal thread

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Like 2
Link to post
Share on other sites

Welcome smile.png
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. smile.png

Let's begin... 

Let run a script to review some of the settings:

The following Fix will empty these folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin
  • Hosts file will be reset

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as D:\MSI\FRST64.exe

  • Download the enclosed file  
  • Save it in the same location FRST64 is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and saved in the same location the tool was ran from.

Please attach this file in your next reply.

Lets try an online scanner:


Please run the following ESET Online Scanner and perform a Full Scan
 
Click the following link to save the installer for ESET Online Scanner
https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Fixlist.txt

Edited by JSntgRvr
  • Like 1
Link to post
Share on other sites

David, thanks for checking those VirusTotal reports and updating them. I'm a bit new to this process

JSntgRvr, thanks for helping me to recover from this virus. I'll upload the FRST file, and will also read through it, out of curiosity, and wanting to make sure it's able to restore things. I like to read through and understand what's happening, and to do some of it myself if possible. To try and follow clues for what's happened on the computer. I'll add any results from ESET

Fixlog.txt

  • Thanks 1
Link to post
Share on other sites

I'm having trouble running the ESET online program. Each time it nearly finishes updating the definition, it closes. I've installed a trial of ESET internet security in the meantime, unfortunately in doing this, i'm not strictly adhering to the instructions given to me, not to install or uninstall things

Link to post
Share on other sites

There are some entries in your M: drive that have been detected by Microsoft Defender. These are related to D:\MSI\aurora-agent-lite-win-pack. Do you recognize this program?

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply
Link to post
Share on other sites

I might have made a mistake allowing that one past windows defender. There's a github entry about it, and I came to the conclusion that it was a necessary part of a program called SigmaHQ, which I've never used before, but it seemed useful. I assumed it was a well known program, but will remove it. And although i'm generally skilled with computers, it's something I don't know a whole lot about.

 

Thankyou for helping me with this. This other scanner you suggested has found an adware program in a system folder, SysWOW64. I'm happy to see things being found!

cureit.log

Link to post
Share on other sites

It's very pleasing to see Windows Resource Protection making some changes!

I may have found that program using the only search term I remembered: Adware

C:\windows\SysWOW64\K8062e.exe - is adware program Adware.DealPly.506

But the program seems to have removed it

Link to post
Share on other sites

Yes. That file was not part of any logs produced. Each Antivirus\Antimalware program has its own database. Whatever is missed by one, the other will pick.

If you feel insecure, we may run another scan. This however will take some time to complete:

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run and saved in the log.
  • The scan may take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware. )

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

  • Like 1
Link to post
Share on other sites

It seems ok. I even traced the ps1 agent detection that I posted a screenshot of, and when I took the script out of quarantine and viewed it, it seemed to be a file included in an arduino library. A template that could be used by someone making a ducky exploit. An unusual thing to find in an arduino library.
 

I’ve kept a trial of ESET internet running in the background, and it hasn’t noticed anything unusual with real time protection. I even changed many of my passwords after reading into the VirusTotal stuff, and getting worried about the potential for them to be taken. But it’s possible the virus didn’t get a chance to do that yet

Link to post
Share on other sites

  • Solution

Glad to know. Lets cleanup:

Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool.

Vista/Windows 7/8/10/11 users right-click and select Run As Administrator.

  • Put a check mark next to these items:

- Delete tools

- Delete Restore Points

- Create Restore Point

- Delete now

  • Click the "Run" button.

automatic.png

  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:
 
The following information will help you to keep your computer and data safer as well as improve your overall privacy

Malwarebytes Browser Guard

uBlock Origin

Cybersecurity basics & protection
 
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity
 
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/
 
Please review the following to help you better protect your computer and privacy
 
Tips to help protect from infection
 
Hopefully, we've been able to assist you with correcting your system issues.
 
Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.

Regards.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.